    drm/tegra: Check for malformed offsets and sizes in the 'submit' IOCTL · 368f622c
    Dmitry Osipenko authored
    If a commands buffer claims a number of words that is higher than its BO can
    fit, a kernel OOPS will be fired on the out-of-bounds BO access. This was
    triggered by an opentegra Xorg driver that erroneously pushed too many
    commands to the pushbuf.
    
    The CDMA commands buffer address is 4-byte aligned, so check its
    alignment.
    
    The maximum number of the CDMA gather fetches is 16383, add a check for
    it.
    
    Add a sanity check for the relocations in the same way.
    
    [   46.829393] Unable to handle kernel paging request at virtual address f09b2000
    ...
    [<c04a3ba4>] (host1x_job_pin) from [<c04dfcd0>] (tegra_drm_submit+0x474/0x510)
    [<c04dfcd0>] (tegra_drm_submit) from [<c04deea0>] (tegra_submit+0x50/0x6c)
    [<c04deea0>] (tegra_submit) from [<c04c07c0>] (drm_ioctl+0x1e4/0x3ec)
    [<c04c07c0>] (drm_ioctl) from [<c02541a0>] (do_vfs_ioctl+0x9c/0x8e4)
    [<c02541a0>] (do_vfs_ioctl) from [<c0254a1c>] (SyS_ioctl+0x34/0x5c)
    [<c0254a1c>] (SyS_ioctl) from [<c0107640>] (ret_fast_syscall+0x0/0x3c)
    Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
    Reviewed-by: Erik Faye-Lund <kusmabite@gmail.com>
    Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
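
The checks the commit message lists, modelled as a userspace sketch. This is an added example, not the kernel patch or the driver's own code: the struct layouts and the names `cmdbuf_valid`, `reloc_valid` and `range_in_bo` are hypothetical, and only the 4-byte alignment and the 16383 limit come from the message above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define GATHER_MAX_WORDS 16383u /* max CDMA gather fetches, per the commit message */
#define WORD_SIZE 4u            /* command words are 32-bit */

/* Hypothetical descriptors standing in for what userspace hands to 'submit'. */
struct cmdbuf { uint32_t offset; uint32_t words; };
struct reloc  { uint32_t cmdbuf_offset; uint32_t target_offset; };

/* True when [offset, offset + len) lies inside a BO of bo_size bytes.
 * Written as a subtraction so that offset + len can never wrap. */
static bool range_in_bo(uint64_t offset, uint64_t len, size_t bo_size)
{
    return offset <= bo_size && len <= bo_size - offset;
}

bool cmdbuf_valid(const struct cmdbuf *c, size_t bo_size)
{
    if (c->offset % WORD_SIZE)        /* address must be 4-byte aligned */
        return false;
    if (c->words > GATHER_MAX_WORDS)  /* more than one gather can fetch */
        return false;
    /* widen before multiplying so words * 4 is computed in 64 bits */
    return range_in_bo(c->offset, (uint64_t)c->words * WORD_SIZE, bo_size);
}

bool reloc_valid(const struct reloc *r, size_t cmdbuf_bo_size,
                 size_t target_bo_size)
{
    if (r->cmdbuf_offset % WORD_SIZE)
        return false;
    /* the patched word must fit in the command BO, and the address
     * written into it must point inside the target BO */
    return range_in_bo(r->cmdbuf_offset, WORD_SIZE, cmdbuf_bo_size) &&
           r->target_offset < target_bo_size;
}

int main(void)
{
    /* Constructed input: a 4 KiB BO and a buffer claiming one word too many. */
    struct cmdbuf too_long = { .offset = 0, .words = 1025 };
    return cmdbuf_valid(&too_long, 4096) ? 1 : 0; /* exits 0: rejected */
}
```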